Week 24 In Review

ENISA First 2011
The European Network & Information Security Agency (ENISA) was formed in 2004. The agency supports the Commission and the EU member states in the area of information security, and facilitates the exchange of information between EU institutions, the public sector and the private sector.

June 2011 OWASP Belgium Meeting Wrap Up – blog.rootshell.e
Back from the latest OWASP Belgium Chapter meeting… Two speakers were scheduled tonight: Colin Watson presented the OWASP AppSensor project then Andreas Falkenberg talked about modern attacks against web services like Twitter. A last-minute guest joined us: Josh Corman who spoke about “rugged software”.

Most Common iPhone Passcodes – amitay.us
In essence, this post is an homage to the well known Most Common Passwords on the Internet articles. Different articles pull from different sources, so naturally aren’t the same, but still demonstrate certain trends. Similar trends are evident in the data I present below.

OWASP NYC Slides Posted – gdssecurity.com
The discussion focused on identifying and exploiting Padding Oracles in custom web applications, and walked through specifics on how to use PadBuster in a variety of common scenarios. Hopefully those using PadBuster will find the second half of the deck a useful reference.

Mona 1.0 Released! – corelan.be
For anyone who missed my talks (either at AthCon or Hack In Paris), mona is the long awaited successor to pvefindaddr. Named after my daughter (I’m sure she’s too young to realize or even care at this point), this Immunity Debugger PyCommand introduces a lot of improvements and new features compared to pvefindaddr.

Welcome to WS-Attacks.org – clawslab.nds.rub.de
WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today’s web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.

Tools

UPDATE: The Sleuth Kit v3.2.2! – sourceforge.net/project/sleuthkit/files
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. It is a collection of open source file system forensics tools that allow one to view allocated and deleted data from NTFS, FAT, FFS, and EXT2FS images. The Autopsy Forensic Browser provides a graphical interface to The Sleuth Kit.

UPDATE: THC Hydra v6.4! – thc.org/releases/hydra-6.4-src.tar.gz
THC-HYDRA is a very fast network logon cracker which supports many different services. This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system. It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD and OSX.

Introducing WPScan the WordPress Security Scanner – ethicalhack3r.co.uk
WPScan is a black box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is open source and licensed under the GPLv3.

OWASP iGoat 1.0 – owasp.blogspot.com
The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first.

BodgeIt Vulnerable Web Application Platform – sectechno.com
Legal hacking is possible, as you can create a vulnerable platform to test any new vulnerability without breaking laws. Anyone looking to test their skills without worrying about proxies or hiding their activities, and wanting to test new web exploits, can consider BodgeIt. The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

Analyzing the LulzSec Password Leak – rafekettler.com
Maybe there’s something wrong with me, but when I first heard about LulzSec releasing 62,000 passwords, I was actually pretty excited. I’ve always wanted to do a little analysis on a big leak like this, and now I finally get to do one.

Hacking Oracle Business Intelligence – dsecrg.blogspot.com
Here I will show some vulnerabilities found in Oracle BI, how they can be found and how different exploits can be written. It will be based on vulnerabilities that were patched by Oracle in the April 2011 CPU. An interesting point is that the PL/SQL vulnerabilities found are in programs that are executed by a privileged user, but not directly by a DBA, so it is more interesting to find a way to get access to the whole system using those rights.

Microsoft Patch Tuesday
This security update resolves eight privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The Great Citigroup Credit Card Hack
Citigroup Inc said a cyber attack in May affected almost twice as many accounts as the bank’s figures had initially suggested, as major U.S. lenders come under growing pressure from lawmakers to improve account security.

Barr Unbowed (Interview with Aaron Barr) – threatpost.com
Aaron Barr, the former CEO of security firm HBGary Federal, is one of those unlucky few. No fountain-flopper, Barr is a respected authority on computer security whose mistake was to openly speculate on the identities of members of the online hacking group Anonymous, then watch as events spun gruesomely out of his control.

EU Ministers Seek To Ban Creation of ‘Hacking Tools’ – networkworld.com
Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission’s text, the ministers extended the draft to include “the production and making available of tools for committing offenses”.

Replacing RSA SecurID Security Tokens Not So Simple – darkreading.com
Should all RSA SecurID customers take the company up on its new offer to swap out their authentication tokens as a precaution? Not so fast, security experts warn. While RSA says it will provide replacements for SecurID tokens to allay security concerns in the wake of its breach and the subsequent related breach at defense contractor Lockheed Martin, the move might be only a temporary fix if the attackers who compromised RSA’s SecurID servers indeed got the seed files.
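Why a leaked seed file matters more than the plastic in the user's pocket, as an added illustration that is not RSA's code or algorithm: a time-based token is nothing but a per-token secret seed plus a clock, so whoever holds the seed computes the same codes as the hardware, and only re-seeding (a replacement token with a fresh seed) closes the gap. The example below uses the public RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter) because it is standard and checkable against the RFC's own test vectors; SecurID's internal algorithm is different, but the dependence on the seed is the same. The seed and timestamps are constructed.

```python
"""RFC 6238 TOTP: the code depends only on (seed, time), so a stolen seed
reproduces every code the token will ever display."""
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """What the token displays at a given moment."""
    return hotp(seed, unix_time // step, digits)


def verify(seed, code, unix_time, step=30, digits=6, window=1):
    """Server-side check, tolerating +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d, digits), code)
               for d in range(-window, window + 1))


def attacker_with_seed_passes(stolen_seed, unix_time):
    """The attacker never touches the token; the seed file is enough."""
    return verify(stolen_seed, totp(stolen_seed, unix_time), unix_time)


def reseeded_token_rejects_old_seed(old_seed, new_seed, unix_time):
    """After a replacement token with a fresh seed is enrolled, a code derived
    from the leaked seed is just a random guess against the new one."""
    return not verify(new_seed, totp(old_seed, unix_time), unix_time)


# Constructed seed matching the RFC 4226/6238 test vectors (ASCII "1234...").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC vectors
    print(totp(RFC_SEED, now, digits=8))           # 07081804
    print(attacker_with_seed_passes(RFC_SEED, now))  # True
```

The last function is the whole argument of the article in code: swapping tokens only helps because it swaps seeds, and it helps only if the new seed batch is not also in the attacker's hands.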

The LulzSec manifesto – arstechnica.com
LulzSec certainly has enemies. Gamers in particular have been agitated by the group’s attack on login servers for games like EVE Online. Angrier, perhaps, have been those whose e-mail, Facebook, and PayPal account passwords were leaked—and who then had to watch as Twittizens celebrated the sometimes-criminal misuse of those accounts.

The Cloud - time for serious consideration - web services – shortinfosec.net
In 2008 we published an article on cloud computing, which basically said, don’t turn off your local datacenter. To be very sincere, Shortinfosec was a little hypocritical in that article – since Shortinfosec was and is hosted in the cloud.

About Us

Infosec Events is dedicated to the growing information security industry. We strive to provide useful information and resources to those in the industry. Don't hesitate to contact us should you need anything.